From owner-freebsd-questions Thu Aug 9 22:58:57 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from ren.sasknow.com (ren.sasknow.com [207.195.92.131]) by hub.freebsd.org (Postfix) with ESMTP id 2D88337B403 for ; Thu, 9 Aug 2001 22:58:50 -0700 (PDT) (envelope-from ryan@sasknow.com)
Received: from localhost (ryan@localhost) by ren.sasknow.com (8.9.3/8.9.3) with ESMTP id XAA50206; Thu, 9 Aug 2001 23:58:47 -0600 (CST) (envelope-from ryan@sasknow.com)
Date: Thu, 9 Aug 2001 23:58:47 -0600 (CST)
From: Ryan Thompson
To: Wing Tim
Cc: freebsd-questions@freebsd.org
Subject: Re: Snoop configuration
In-Reply-To:
Message-ID:
Organization: SaskNow Technologies [www.sasknow.com]
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Wing Tim wrote to ryan@sasknow.com:

> Hi, Ryan,
> Thank you very much for your reply! Then can I still use the snoop
> protocol in FreeBSD with tcpdump? That is, can I snoop data going to a
> particular interface?
> Thanks!

Yes, but in FreeBSD, this is done with the Berkeley Packet Filter (bpf).
See bpf(4) for a background, but, in particular, see tcpdump(1).

- Ryan

> Regards,
> Wing
>
> >From: Ryan Thompson
> >To: Wing Tim
> >CC: freebsd-questions@freebsd.org
> >Subject: Re: Snoop configuration
> >Date: Thu, 9 Aug 2001 23:06:51 -0600 (CST)
> >
> >Wing Tim wrote to ryan@sasknow.com:
> >
> > > Hi, Ryan,
> > >
> > > My computer that has FreeBSD installed has 2 ethernet cards - one
> > > connects to the Internet and the other connects to a WaveLAN
> > > transmitter. Can I treat this WaveLAN transmitter as a tty and
> > > snoop the data onto it?
> >
> >No. snp(4) devices are especially designed for watching ttys.
> >
> >If you want to monitor raw network traffic, tcpdump(1) is what you want.
> >(I believe that was suggested earlier in this thread, but, for some
> >reason, it seemed like you wanted to watch ttys).
> >
> >Running tcpdump(1) puts the specified network interface into promiscuous
> >mode, which allows the kernel to grab the transmitted packets. tcpdump(1)
> >has several options to control, filter, and format its output, but, the
> >basic syntax of it is:
> >
> >    tcpdump -i /dev/eth0
> >
> >Where "eth0" is the device name of your network interface card. Run
> >ifconfig -a to get the device names of your network cards if you aren't
> >sure.
> >
> >You will want to read the man page for tcpdump to fine tune it to output
> >the data that you want. Myself, and others on this list can probably help
> >you to control the output of tcpdump, if we know exactly what you need
> >displayed.
> >
> >
> >So, again, in short...
> >
> >If you want to watch terminals, to see what shell users are doing on your
> >machine (this has plenty of uses.. technical support, troubleshooting,
> >monitoring), then you want to use snp(4) and watch(8).
> >
> >If, on the other hand, you want to monitor network traffic (identifying
> >network attacks, verifying firewall functionality, troubleshooting network
> >services, looking at physical packet flow, etc), then tcpdump(1) is the
> >answer.
> >
> > > Thanks!
> > >
> > > Regards,
> > > Wing
> > >
> > > >From: Ryan Thompson
> > > >To: Wing Tim
> > > >CC: alex@big-blue.net, bwatts@corp.netcom.ca, freebsd-questions@FreeBSD.ORG
> > > >Subject: Re: Snoop configuration
> > > >Date: Thu, 9 Aug 2001 21:54:43 -0600 (CST)
> > > >
> > > >Wing Tim wrote to alex@big-blue.net:
> > > >
> > > > > Hi,
> > > > > Thank you very much! The snoop has started in my machine.
> > > > > After typing "sh MAKEDEV snp0", it asked me to enter a device name,
> > > > > what should I input? I input "snp0" but the error "watch: fatal: cannot
> > > > > attach to tty" occurs. What does that "device name" mean actually? Is that the
> > > > > device that buffers data?
> > > > > By the way, according to my understanding, snoop protocol is something
> > > > > that buffers data in a certain device. Does snoop in FreeBSD have a
> > > > > similar function?
> > > >
> > > >Hi Wing,
> > > >
> > > >Now that you've got the devices created, you need to tell watch(8) which
> > > >tty you want to snoop on. It helps if you run the command "who" (or
> > > >"finger", or "w" if you prefer), to see who is on-line, and on which ttys.
> > > >
> > > >root# who
> > > >root    ttyv0   Aug  8 12:03
> > > >ryan    ttyv1   Aug  8 10:09
> > > >ryan    ttyv3   Jul 27 10:41
> > > >darren  ttyp0   Aug  7 13:31
> > > >wayne   ttyp1   Aug  5 17:43
> > > >
> > > >If you want to snoop on darren, who is logged on to "ttyp0", just enter
> > > >"ttyp0" as the device to snoop in watch(8):
> > > >
> > > >root# watch ttyp0
> > > >
> > > > > Thanks!
> > > > >
> > > > > Regards,
> > > > > Wing

--
  Ryan Thompson
  Network Administrator, Accounts

  SaskNow Technologies - http://www.sasknow.com
  #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

        Tel: 306-664-3600   Fax: 306-664-1161   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
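The thread's practical rule is: find the tty from who(1) and hand it to watch(8) for terminal monitoring, or hand an interface name from ifconfig -a to tcpdump(1) for packet capture. The following is an added example, not code from the thread or from FreeBSD: it parses a who(1) listing (the sample is constructed from the listing quoted above) and maps a requested target to the tool the thread recommends, rejecting the two mistakes the thread discusses, namely naming the snp device instead of a tty and naming a tty nobody is logged in on. Interface names such as fxp0 are assumed to be the bare names ifconfig -a prints.

```python
"""Added example (not from the mailing-list thread): parse who(1) output and
decide whether a monitoring target is a tty (snp(4)/watch(8)) or a network
interface (bpf(4)/tcpdump(1))."""
import re
from dataclasses import dataclass

# Constructed sample input: the who(1) listing quoted in the thread.
WHO_OUTPUT = """\
root    ttyv0   Aug  8 12:03
ryan    ttyv1   Aug  8 10:09
ryan    ttyv3   Jul 27 10:41
darren  ttyp0   Aug  7 13:31
wayne   ttyp1   Aug  5 17:43
"""

# One who(1) line: user, tty, and the login timestamp.
WHO_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\w{3}\s+\d{1,2}\s+\d{2}:\d{2})")


@dataclass(frozen=True)
class Session:
    user: str
    tty: str
    login_time: str


def parse_who(text):
    """Return one Session per well-formed who(1) line; other lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = WHO_LINE.match(line)
        if m:
            sessions.append(Session(*m.groups()))
    return sessions


def ttys_for_user(sessions, user):
    """All ttys a given user is currently logged in on, in listing order."""
    return [s.tty for s in sessions if s.user == user]


def plan_monitoring(target, sessions):
    """Map a target name to (tool, command) following the thread's rule.

    Returns (None, reason) when the target is not something either tool
    can usefully be pointed at.
    """
    # "snp0" is the snoop device itself, not the tty to be watched.
    if re.fullmatch(r"snp\d+", target):
        return (None, "%s is the snoop device; give watch(8) a tty name from who(1)" % target)
    # tty names as who(1) prints them (ttyv0, ttyp0, ...).
    if re.fullmatch(r"tty[a-z]\d+", target):
        if target not in {s.tty for s in sessions}:
            return (None, "%s has no logged-in session; nothing to watch" % target)
        return ("watch", "watch %s" % target)
    # Anything else shaped like an interface name (assumed form: letters then a unit number).
    if re.fullmatch(r"[a-z]+\d+", target):
        return ("tcpdump", "tcpdump -i %s" % target)
    return (None, "unrecognized target %r" % target)


if __name__ == "__main__":
    sessions = parse_who(WHO_OUTPUT)
    for s in sessions:
        print("%-8s %-7s %s" % (s.user, s.tty, s.login_time))
    for target in ("ttyp0", "snp0", "ttyp9", "fxp0"):
        print(target, "->", plan_monitoring(target, sessions))
```

Run as a script it prints the parsed sessions and the decision for each sample target; the functions can also be imported and pointed at real who(1) output read from a pipe.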